CVE-2015-8866

Name	CVE-2015-8866
Description	ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-499-1

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
php5	source	wheezy	5.4.45-0+deb7u3		DLA-499-1
php5	source	(unstable)	5.6.6+dfsg-1

Notes

https://bugs.php.net/bug.php?id=64938
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
http://framework.zend.com/security/advisory/ZF2015-06 -> Relation to CVE-2015-5161
https://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
Fixed in 5.6.6, 5.5.22
https://www.openwall.com/lists/oss-security/2016/04/21/8